Ha! No exploits for the IBM WebBrowser on my OS/2 Warp 4! It's clearly the best platform!

I have yet to see anyone hack my Abacus Mk1. From 2700BC to today - and not a single successful hack!

Yeah, but it regularly resets itself. Your data isn't safe.

Has Windows Phone been entered into this? Or is it not worthwhile/interesting enough? I'd much rather these guys tear my platform to shreds than some malicious dude...

I <3 my WP, but I haven't drunk the kool aid. My "safety" from exploits is currently due to lack of interest/financial motivation, not some sort of superiority. I hope it's successful in the long run, but the bigger the market share, the more attention it'll get.

The Pwn2Own contest has become one of the great equalizers and the perfect antidote to any fanboy who insists that the platform he uses is the most secure.

There are two ways of looking at security. One is theoretical, one is practical.

Imagine somebody saying that House A, which has had very few attempted or successful break-ins was better-secured and in a safer neighbourhood environment than House B, which saw many more break-ins and many more successful breaches of its security.

Now imagine that some security experts came over with the necessary tools and know-how and busted into House A, bypassing its alarms and locks and exposing everything.

You would definitely be right in saying that House A was vulnerable to attack. But that wouldn't mean that the original statement, that House A was essentially safer than House B, was untrue.

The Pwn2Own contest has become one of the great equalizers and the perfect antidote to any fanboy who insists that the platform he uses is the most secure.

There are two ways of looking at security. One is theoretical, one is practical.

Imagine somebody saying that House A, which has had very few attempted or successful break-ins was better-secured and in a safer neighbourhood environment than House B, which saw many more break-ins and many more successful breaches of its security.

Now imagine that some security experts came over with the necessary tools and know-how and busted into House A, bypassing its alarms and locks and exposing everything.

You would definitely be right in saying that House A was vulnerable to attack. But that wouldn't mean that the original statement, that House A was essentially safer than House B, was untrue.

I disagree. Safe is different from secure. Just because your house is in a good neighborhood, or your system of choice is super obscure, does not make it more secure. It simply makes it less likely to be pwned, i.e. safer. An iPhone user with unsafe habits is less safe than a careful user with an Android model, but in general (and if I'm wrong, just go with the theoretical please; I'm not looking to turn this into a flamewar), the iPhone is still more secure than the Android phone.

The Pwn2Own contest has become one of the great equalizers and the perfect antidote to any fanboy who insists that the platform he uses is the most secure.

There are two ways of looking at security. One is theoretical, one is practical.

Imagine somebody saying that House A, which has had very few attempted or successful break-ins was better-secured and in a safer neighbourhood environment than House B, which saw many more break-ins and many more successful breaches of its security.

Now imagine that some security experts came over with the necessary tools and know-how and busted into House A, bypassing its alarms and locks and exposing everything.

You would definitely be right in saying that House A was vulnerable to attack. But that wouldn't mean that the original statement, that House A was essentially safer than House B, was untrue.

I disagree. Safe is different from secure. Just because your house is in a good neighborhood, or your system of choice is super obscure, does not make it more secure. It simply makes it less likely to be pwned, i.e. safer. An idiot with an iPhone is less safe than a careful user with an Android model, but in general (and if I'm wrong, just go with the theoretical please; I'm not looking to turn this into a flamewar), the iPhone is still more secure than the Android phone.

You do realize that you just said exactly what his point is, right? You didn't disagree at all.

The Pwn2Own contest has become one of the great equalizers and the perfect antidote to any fanboy who insists that the platform he uses is the most secure.

There are two ways of looking at security. One is theoretical, one is practical.

Imagine somebody saying that House A, which has had very few attempted or successful break-ins was better-secured and in a safer neighbourhood environment than House B, which saw many more break-ins and many more successful breaches of its security.

Now imagine that some security experts came over with the necessary tools and know-how and busted into House A, bypassing its alarms and locks and exposing everything.

You would definitely be right in saying that House A was vulnerable to attack. But that wouldn't mean that the original statement, that House A was essentially safer than House B, was untrue.

I disagree. Safe is different from secure. Just because your house is in a good neighborhood, or your system of choice is super obscure, does not make it more secure. It simply makes it less likely to be pwned, i.e. safer. An idiot with an iPhone is less safe than a careful user with an Android model, but in general (and if I'm wrong, just go with the theoretical please; I'm not looking to turn this into a flamewar), the iPhone is still more secure than the Android phone.

I wanted to promote this comment, but didn't given use of the term "idiot," which turns an otherwise persuasive argument into something that's unnecessarily inflammatory.

The Pwn2Own contest has become one of the great equalizers and the perfect antidote to any fanboy who insists that the platform he uses is the most secure.

There are two ways of looking at security. One is theoretical, one is practical.

Imagine somebody saying that House A, which has had very few attempted or successful break-ins was better-secured and in a safer neighbourhood environment than House B, which saw many more break-ins and many more successful breaches of its security.

Now imagine that some security experts came over with the necessary tools and know-how and busted into House A, bypassing its alarms and locks and exposing everything.

You would definitely be right in saying that House A was vulnerable to attack. But that wouldn't mean that the original statement, that House A was essentially safer than House B, was untrue.

I disagree. Safe is different from secure. Just because your house is in a good neighborhood, or your system of choice is super obscure, does not make it more secure. It simply makes it less likely to be pwned, i.e. safer. An idiot with an iPhone is less safe than a careful user with an Android model, but in general (and if I'm wrong, just go with the theoretical please; I'm not looking to turn this into a flamewar), the iPhone is still more secure than the Android phone.

It wouldn't be much of a flamewar. Apple is more secure than Android for one simple fact. Apple is able to send out updates to its phones. Android, on the other hand, is limited with its updates, as they are pushed out from the phone carrier, and are few and far between.

That said, it's pretty clear iOS is the most secure mobile OS, and Nextstep er OSX may be the most secure desktop OS. It's because of extra layers.

They both start with industrial strength unix operating systems with preemptive multitasking and memory protection.

Then they interdict rogue apps by controlling delivery. OSX doesn't make app signing and store delivery mandatory, but iOS does, and it also sandboxes their data accesses.

That ridiculous app submission process that makes iOS such a pain to develop for is also the reason it's so hard to spread iOS malware. You have to identify yourself with tax id, get it past a reviewer, and then find a way to get your intended targets to find it on the store among 800k other apps and download it.

The Pwn2Own contest has become one of the great equalizers and the perfect antidote to any fanboy who insists that the platform he uses is the most secure.

There are two ways of looking at security. One is theoretical, one is practical.

Imagine somebody saying that House A, which has had very few attempted or successful break-ins was better-secured and in a safer neighbourhood environment than House B, which saw many more break-ins and many more successful breaches of its security.

Now imagine that some security experts came over with the necessary tools and know-how and busted into House A, bypassing its alarms and locks and exposing everything.

You would definitely be right in saying that House A was vulnerable to attack. But that wouldn't mean that the original statement, that House A was essentially safer than House B, was untrue.

I disagree. Safe is different from secure. Just because your house is in a good neighborhood, or your system of choice is super obscure, does not make it more secure. It simply makes it less likely to be pwned, i.e. safer. An idiot with an iPhone is less safe than a careful user with an Android model, but in general (and if I'm wrong, just go with the theoretical please; I'm not looking to turn this into a flamewar), the iPhone is still more secure than the Android phone.

I wanted to promote this comment, but didn't given use of the term "idiot," which turns an otherwise persuasive argument into something that's unnecessarily inflammatory.

I don't think zpletan was calling all iPhone users idiots. Apple has sold millions of iPhones, I don't think it's unreasonable or inflammatory to assume that at least one of them may, in fact, be an idiot.

The Pwn2Own contest has become one of the great equalizers and the perfect antidote to any fanboy who insists that the platform he uses is the most secure.

There are two ways of looking at security. One is theoretical, one is practical.

Imagine somebody saying that House A, which has had very few attempted or successful break-ins was better-secured and in a safer neighbourhood environment than House B, which saw many more break-ins and many more successful breaches of its security.

Now imagine that some security experts came over with the necessary tools and know-how and busted into House A, bypassing its alarms and locks and exposing everything.

You would definitely be right in saying that House A was vulnerable to attack. But that wouldn't mean that the original statement, that House A was essentially safer than House B, was untrue.

I disagree. Safe is different from secure. Just because your house is in a good neighborhood, or your system of choice is super obscure, does not make it more secure. It simply makes it less likely to be pwned, i.e. safer. An idiot with an iPhone is less safe than a careful user with an Android model, but in general (and if I'm wrong, just go with the theoretical please; I'm not looking to turn this into a flamewar), the iPhone is still more secure than the Android phone.

I wanted to promote this comment, but didn't given use of the term "idiot," which turns an otherwise persuasive argument into something that's unnecessarily inflammatory.

I don't think zpletan was calling all iPhone users idiots. Apple has sold millions of iPhones, I don't think it's unreasonable or inflammatory to assume that at least one of them may, in fact, be an idiot.

That was the idea I was aiming for, but I did edit that part for clarity. Thanks to the both of you!

The Pwn2Own contest has become one of the great equalizers and the perfect antidote to any fanboy who insists that the platform he uses is the most secure.

There are two ways of looking at security. One is theoretical, one is practical.

Imagine somebody saying that House A, which has had very few attempted or successful break-ins was better-secured and in a safer neighbourhood environment than House B, which saw many more break-ins and many more successful breaches of its security.

Now imagine that some security experts came over with the necessary tools and know-how and busted into House A, bypassing its alarms and locks and exposing everything.

You would definitely be right in saying that House A was vulnerable to attack. But that wouldn't mean that the original statement, that House A was essentially safer than House B, was untrue.

I disagree. Safe is different from secure. Just because your house is in a good neighborhood, or your system of choice is super obscure, does not make it more secure. It simply makes it less likely to be pwned, i.e. safer. An iPhone user with unsafe habits is less safe than a careful user with an Android model, but in general (and if I'm wrong, just go with the theoretical please; I'm not looking to turn this into a flamewar), the iPhone is still more secure than the Android phone.

Edit for clarity (thanks Dan!)

I would like to know how you disagree, as I also think that you are simply restating the exact same point the original poster made.

The Pwn2Own contest has become one of the great equalizers and the perfect antidote to any fanboy who insists that the platform he uses is the most secure.

There are two ways of looking at security. One is theoretical, one is practical.

Imagine somebody saying that House A, which has had very few attempted or successful break-ins was better-secured and in a safer neighbourhood environment than House B, which saw many more break-ins and many more successful breaches of its security.

Now imagine that some security experts came over with the necessary tools and know-how and busted into House A, bypassing its alarms and locks and exposing everything.

You would definitely be right in saying that House A was vulnerable to attack. But that wouldn't mean that the original statement, that House A was essentially safer than House B, was untrue.

I disagree. Safe is different from secure. Just because your house is in a good neighborhood, or your system of choice is super obscure, does not make it more secure. It simply makes it less likely to be pwned, i.e. safer. An idiot with an iPhone is less safe than a careful user with an Android model, but in general (and if I'm wrong, just go with the theoretical please; I'm not looking to turn this into a flamewar), the iPhone is still more secure than the Android phone.

You do realize that you just said exactly what his point is, right? You didn't disagree at all.

I would like to know how you disagree, as I also think that you are simply restating the exact same point the original poster made.

It looked to me like he was conflating safety with security. If that was the case, I disagree. If, on the other hand, he was using the terminology in the same sense I was, then I was confused and I'm very sorry; I only meant to clarify.

The Pwn2Own contest has become one of the great equalizers and the perfect antidote to any fanboy who insists that the platform he uses is the most secure.

There are two ways of looking at security. One is theoretical, one is practical.

Imagine somebody saying that House A, which has had very few attempted or successful break-ins was better-secured and in a safer neighbourhood environment than House B, which saw many more break-ins and many more successful breaches of its security.

Now imagine that some security experts came over with the necessary tools and know-how and busted into House A, bypassing its alarms and locks and exposing everything.

You would definitely be right in saying that House A was vulnerable to attack. But that wouldn't mean that the original statement, that House A was essentially safer than House B, was untrue.

I disagree. Safe is different from secure. Just because your house is in a good neighborhood, or your system of choice is super obscure, does not make it more secure. It simply makes it less likely to be pwned, i.e. safer. An idiot with an iPhone is less safe than a careful user with an Android model, but in general (and if I'm wrong, just go with the theoretical please; I'm not looking to turn this into a flamewar), the iPhone is still more secure than the Android phone.

I wanted to promote this comment, but didn't given use of the term "idiot," which turns an otherwise persuasive argument into something that's unnecessarily inflammatory.

I don't think zpletan was calling all iPhone users idiots. Apple has sold millions of iPhones, I don't think it's unreasonable or inflammatory to assume that at least one of them may, in fact, be an idiot.

I agree Zpletan wasn't necessarily calling all iPhone users idiots. I still think his choice of language unnecessarily steers the conversation in a personal direction. That said, it appears I'm in the minority, given the number of people upvoting you and downvoting me.

The Pwn2Own contest has become one of the great equalizers and the perfect antidote to any fanboy who insists that the platform he uses is the most secure.

There are two ways of looking at security. One is theoretical, one is practical.

Imagine somebody saying that House A, which has had very few attempted or successful break-ins was better-secured and in a safer neighbourhood environment than House B, which saw many more break-ins and many more successful breaches of its security.

Now imagine that some security experts came over with the necessary tools and know-how and busted into House A, bypassing its alarms and locks and exposing everything.

You would definitely be right in saying that House A was vulnerable to attack. But that wouldn't mean that the original statement, that House A was essentially safer than House B, was untrue.

I disagree. Safe is different from secure. Just because your house is in a good neighborhood, or your system of choice is super obscure, does not make it more secure. It simply makes it less likely to be pwned, i.e. safer. An idiot with an iPhone is less safe than a careful user with an Android model, but in general (and if I'm wrong, just go with the theoretical please; I'm not looking to turn this into a flamewar), the iPhone is still more secure than the Android phone.

It wouldn't be much of a flamewar. Apple is more secure than Android for one simple fact. Apple is able to send out updates to its phones. Android, on the other hand, is limited with its updates, as they are pushed out from the phone carrier, and are few and far between.

I would beg to differ. You're probably correct with (most recent iPhone or two) vs. (non-Nexus phones), but as an OS, Android is probably more secure than iOS.

That said, it's pretty clear iOS is the most secure mobile OS, and Nextstep er OSX may be the most secure desktop OS. It's because of extra layers.

I believe a number of these participants have actually explicitly said it's harder to hack Windows than OSX.

Example:

Quote:

With my Safari exploit, I put the code into a process and I know exactly where it's going to be. There's no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don't know where it is. Even if I get to the code, it's not executable. Those are two hurdles that Macs don't have.

It's clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that's only half the equation. The other half is exploiting it. There's almost no hurdle to jump through on Mac OS X.

The Pwn2Own contest has become one of the great equalizers and the perfect antidote to any fanboy who insists that the platform he uses is the most secure.

There are two ways of looking at security. One is theoretical, one is practical.

Imagine somebody saying that House A, which has had very few attempted or successful break-ins was better-secured and in a safer neighbourhood environment than House B, which saw many more break-ins and many more successful breaches of its security.

Now imagine that some security experts came over with the necessary tools and know-how and busted into House A, bypassing its alarms and locks and exposing everything.

You would definitely be right in saying that House A was vulnerable to attack. But that wouldn't mean that the original statement, that House A was essentially safer than House B, was untrue.

I disagree. Safe is different from secure. Just because your house is in a good neighborhood, or your system of choice is super obscure, does not make it more secure. It simply makes it less likely to be pwned, i.e. safer. An idiot with an iPhone is less safe than a careful user with an Android model, but in general (and if I'm wrong, just go with the theoretical please; I'm not looking to turn this into a flamewar), the iPhone is still more secure than the Android phone.

It wouldn't be much of a flamewar. Apple is more secure than Android for one simple fact. Apple is able to send out updates to its phones. Android, on the other hand, is limited with its updates, as they are pushed out from the phone carrier, and are few and far between.

I would beg to differ. You're probably correct with (most recent iPhone or two) vs. (non-Nexus phones), but as an OS, Android is probably more secure than iOS.

That said, it's pretty clear iOS is the most secure mobile OS, and Nextstep er OSX may be the most secure desktop OS. It's because of extra layers.

They both start with industrial strength unix operating systems with preemptive multitasking and memory protection.

I say this as a Unix admin - even the most hardened system has unintended functionality that the developers are unaware of. Starting with Unix is not a cure-all, just look at the number of Solaris and BSD patches there are out there.

The safest (connected) systems are those that do as little as possible. Sometimes the more layers you add, the more opportunity there is for errors. There's a reason the Galactica wasn't networked.

With my Safari exploit, I put the code into a process and I know exactly where it's going to be. There's no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don't know where it is. Even if I get to the code, it's not executable. Those are two hurdles that Macs don't have.

It's clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that's only half the equation. The other half is exploiting it. There's almost no hurdle to jump through on Mac OS X.

The Pwn2Own contest has become one of the great equalizers and the perfect antidote to any fanboy who insists that the platform he uses is the most secure.

There are two ways of looking at security. One is theoretical, one is practical.

Imagine somebody saying that House A, which has had very few attempted or successful break-ins was better-secured and in a safer neighbourhood environment than House B, which saw many more break-ins and many more successful breaches of its security.

Now imagine that some security experts came over with the necessary tools and know-how and busted into House A, bypassing its alarms and locks and exposing everything.

You would definitely be right in saying that House A was vulnerable to attack. But that wouldn't mean that the original statement, that House A was essentially safer than House B, was untrue.

I disagree. Safe is different from secure. Just because your house is in a good neighborhood, or your system of choice is super obscure, does not make it more secure. It simply makes it less likely to be pwned, i.e. safer. An idiot with an iPhone is less safe than a careful user with an Android model, but in general (and if I'm wrong, just go with the theoretical please; I'm not looking to turn this into a flamewar), the iPhone is still more secure than the Android phone.

It wouldn't be much of a flamewar. Apple is more secure than Android for one simple fact. Apple is able to send out updates to its phones. Android, on the other hand, is limited with its updates, as they are pushed out from the phone carrier, and are few and far between.

I would beg to differ. You're probably correct with (most recent iPhone or two) vs. (non-Nexus phones), but as an OS, Android is probably more secure than iOS.

your system is only secure when you patch the holes that are found...

And only if your patches don't have new holes. (I'm aiming my green laser pointer at Cupertino, but I'm not singling out any particular fruity company.)

With my Safari exploit, I put the code into a process and I know exactly where it's going to be. There's no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don't know where it is. Even if I get to the code, it's not executable. Those are two hurdles that Macs don't have.

It's clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that's only half the equation. The other half is exploiting it. There's almost no hurdle to jump through on Mac OS X.

This is moot, OS X has had address space layout randomization and data execution prevention (features that Charlie Miller seems to be referring to in the interview) since 2011.

True, but the point is, I think, that MS has had to do a lot of practical work hardening Windows.

I'm not sure which is more the case: don't assume Apple has it best because of *nix, or don't sell MS short because their OS is practically the front lines, so to speak. Either way, they're both improving, worlds better than MacOS and Windows 9x. That's good.

That said, it's pretty clear iOS is the most secure mobile OS, and Nextstep er OSX may be the most secure desktop OS. It's because of extra layers.

They both start with industrial strength unix operating systems with preemptive multitasking and memory protection.

I say this as a Unix admin - even the most hardened system has unintended functionality that the developers are unaware of. Starting with Unix is not a cure-all, just look at the number of Solaris and BSD patches there are out there.

The safest (connected) systems are those that do as little as possible. Sometimes the more layers you add, the more opportunity there is for errors. There's a reason the Galactica wasn't networked.

I got some security update for the libpng library on openSUSE. I mean, seriously, think of the number of images you view a day. Talk about vectors!

With my Safari exploit, I put the code into a process and I know exactly where it's going to be. There's no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don't know where it is. Even if I get to the code, it's not executable. Those are two hurdles that Macs don't have.

It's clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that's only half the equation. The other half is exploiting it. There's almost no hurdle to jump through on Mac OS X.

The Pwn2Own contest has become one of the great equalizers and the perfect antidote to any fanboy who insists that the platform he uses is the most secure.

There are two ways of looking at security. One is theoretical, one is practical.

Imagine somebody saying that House A, which has had very few attempted or successful break-ins was better-secured and in a safer neighbourhood environment than House B, which saw many more break-ins and many more successful breaches of its security.

Now imagine that some security experts came over with the necessary tools and know-how and busted into House A, bypassing its alarms and locks and exposing everything.

You would definitely be right in saying that House A was vulnerable to attack. But that wouldn't mean that the original statement, that House A was essentially safer than House B, was untrue.

Well stated. Dan is making a strawman argument about a theoretical fanboy;

Quote:

fanboy who insists that the platform he uses is the most secure.

With enough effort any operating system can be hacked. I don't think anyone on Ars claims otherwise.

But what is the risk of getting hacked for average non techie users? Typical non tech users do care about that. - On the desktop Windows has had over 90% marketshare for about two decades. As many typical users were bombarded with Windows malware in the 2000s which sometimes required multiple anti-virus programs to detect and remove, some didn't like the experience. - As with people whose houses have been broken into multiple times, victims sometimes try to reduce the chances of a burglary or in dealing with malware. As several people have told me about their malware woes, switching an OS may be part of the choice to find a safer computing environment.

For the non tech user; Is the new OS more secure? No. But can a new OS be safer? Yes.